Microsoft researchers said they discovered Russian hackers breaching executives’ emails to learn what the Big Tech company knew about the hackers, a tailored cyber espionage campaign aimed at a peek behind the curtain of digital investigators’ work.
Sensitive knowledge about Russian hacking operations resides at Microsoft. The company has unique insight on top cyberattacker groups, and the company has worked with the U.S. intelligence community to blunt cyberattacks targeting Ukraine.
The hackers responsible for the new breaches of Microsoft executives’ emails belong to the same group behind the cyberattack that hit the SolarWinds computer network management software company, which the Biden administration linked to the Russian Foreign Intelligence Service (SVR).
The state-sponsored Midnight Blizzard hackers, which Microsoft has also referred to as Nobelium, led an attack on Microsoft’s corporate systems that was detected earlier this month, the Microsoft Security Response Center disclosed on Friday. The attack began in late November 2023 when the vandals used a password spray attack to infiltrate a test account, Microsoft said on its blog.
The hackers then used the compromised account to access a “very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said on Friday. “We are in the process of notifying employees whose email was accessed.”
The hackers likely utilized information obtained from previous breaches, particularly during the SolarWinds cyberattacks that compromised federal networks, according to Demi Ben-Ari, co-founder of cybersecurity risk company Panorays.
Mr. Ben-Ari, a veteran of the Israeli Air Force, said Microsoft has likely remediated some problems from past hacking but there are always loose ends.
“Eventually what they wanted to compromise were, I won’t even say privileged accounts because they might not have a lot of privileges but they have access to confidential information,” Mr. Ben-Ari said.
Microsoft has not disclosed precisely what was targeted and who internally was affected, but many people working at the company have handled matters involving the cyberattackers. Some employees familiar with Nobelium’s methods are publicly disclosed on Microsoft’s websites.
The company made a four-part video series called “Decoding Nobelium” published in 2021, detailing the Russian hackers’ tactics and techniques.
The Big Tech titan has also not shied away from publicly calling out the Russian hackers’ work. For example, Microsoft said in August that it found the same Russian hacking group leveraging Microsoft’s conferencing platforms to victimize government accounts and other espionage targets.
Microsoft’s interactions with governments are very likely of interest to the Russian-sponsored hackers as well.
Microsoft was among the private tech companies that teamed up with the U.S. intelligence community to thwart Russian cyberattackers before they could corrupt Ukrainian networks and advance on U.S. systems, U.S. officials said last year.
Amb. Nathaniel C. Fick shed new light on Microsoft’s cybersecurity work in Ukraine during remarks to the German Marshall Fund last year. He said Russian cyberattacks were not as effective as many feared inside Ukraine partially because of Microsoft’s near real-time collaboration with the U.S. intelligence community.
Whether the Russian hackers’ espionage is retaliatory for any of the Big Tech company’s previous work remains unknown. Microsoft declined to answer questions, including about the hackers’ motivation and targeting.
Microsoft is working with law enforcement in response to the latest hack, according to a Friday filing by the company with the U.S. Securities and Exchange Commission.
Microsoft has also said it was shifting the balance it strikes between security and business risk.
“For Microsoft, this incident has highlighted the urgent need to move even faster,” the company said in its blog post. “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”
Microsoft said the attack was not the result of a vulnerability in its products and that the company has no evidence that customer environments were affected, but that it would notify customers if any additional action was necessary.
Microsoft told the SEC it removed the hackers’ access to affected email accounts on Jan. 13, the day after the breach was detected.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.